All Apps and Add-ons

Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times.

Path Finder

Hi Team

I am getting this error

Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times.

when searching for ossec in splunk. So many have posted answer for this error.

But i am not getting the correct pin point to solve this issue.

Please let us know how to solve this issue. I am sure this error regarding on license how to rectify it

Tags (1)
0 Karma
1 Solution

Path Finder

Hi Team,

Finally issue got resolved. The problem is i am using Forward license for that default Licensed daily volume is 1MB.

Then i changed that option to Free license then i am getting Licensed daily volume is 500MB.

To change that option go to Setting --> Licensing - > change license group.

In that select free license then you will get 500 MB per day.

View solution in original post

0 Karma

Path Finder

Hi Team,

Finally issue got resolved. The problem is i am using Forward license for that default Licensed daily volume is 1MB.

Then i changed that option to Free license then i am getting Licensed daily volume is 500MB.

To change that option go to Setting --> Licensing - > change license group.

In that select free license then you will get 500 MB per day.

View solution in original post

0 Karma

New Member

I take back my last posting about the Splunk>answers page not being useful. Right after I posted my comment, and right before I logged off, I clicked on the question, instead of the green button, and the answers appeared. I was thinking the green button would make the answers show up. In any event I would like to thank iamarunk for his answer: "Setting-->Licensing->change license group. I am new to Splunk, and I was making my first attempt at installing a heavy forwarder on the free Splunk version of Enterprise. I was doing the Setting-->Licensing-> part right, but I was clicking on Enterprise, instead of the free version at the bottom. I had been very frustrated at the error messages telling me my license was expired, when I didn't even have a license, for real. In any event I was able to get data from my search, so I can now proceed with my class. So thanks again to iamarunk.

0 Karma

Motivator

Hey @iamarunk,

Here's how licensing works

  1. Free Splunk : cannot exceed 3 violations in a rolling 30 day window
  2. Enterprise Splunk (With active license): cannot exceed 5 violations in a rolling 30 day window

If it's an Enterprise Splunk Instance with active License, please contact your Splunk Support person to get a reset key. Once you add the reset key, the search functionality will resume (Your indexing does not get interrupted due to this btw)

After you resume the search functionality, go to LURV/ License utilization . If you are in a distributed setup, these metrics will be found on your license master.

Check for hints as to what and how this license overage has caused and correct it. Here's what i would do

  1. Check which index/host/Business unit is consuming license more than it's entitled to
  2. Filter the data upfront (Before it hits the Indexers)
  3. If all the data is required/already filtered, start a dialogue with Business/Splunk teams to buy more license.

Hope this helps!

Thanks,
Raghav

Path Finder

Hi Raghav,

Thanks for your reply. I am using Free splunk . For this free splunk i have received this error

For free splunk the violations exceed 3 . Now how to rectify it.

Shall uninstall and install splunk again. It will resolve my issue

Regards
Arun

0 Karma

Motivator

can you check in licensing for license violations. After 5 license violations in a 30days period splunk stops searching

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

Path Finder

Hi Diogofgm,

Thanks for your help. Now i have exceeded the 5 license violations.

Please let us know how to rectify it.

0 Karma